Despite Security Minister Ben Wallace’s attempts to downplay it,[2] the Court of Appeal’s ruling in the Watson case (SSHD v Watson & others)[3] continues the drip of cases finding the Government’s draconian attempt to access bulk communications data (BCD) unlawful. Concerning the now expired sections 1 and 2 of Data Retention and Investigatory Powers Act 2014 (DRIPA), the ruling impacts Part 4 of the Investigatory Powers Act 2016. Although amendments are already tabled, the upcoming judicial review brought by Liberty means the Government should heed the court’s warning. Watson and related cases centre on the state’s power to retain and access bulk communications data and privacy and communications rights.[4] In this knotty area three key lessons can be found.

The Purpose of Data Retention matters

The ruling relates to EU directives on Privacy and Electronic Communications[5] and a December 2016 Court of Justice of the European Union (CJEU) Grand Chamber three part ruling.[6] First, it is unlawful for a domestic law to provide for the general and indiscriminate retention of all traffic and location data (sometimes referred to as metadata). Second, any power which gives a public authority the power to access or compel access to retained data must (a) only be for the purpose of fighting serious crime; [7] (b) have prior approval from a court or an independent authority;[8] and (c) ensure the data remain within the EU.[9] These are known as the Watson Requirements. Finally, the CJEU refused to rule on the potential conflict between the EU’s Charter of Fundamental Rights and the European Convention on Fundamental Rights (ECHR). I will not comment on this third issue.

According to the Court of Appeal, DRIPA 2014 did not meet the CJEU’s conditions. It neither restricted data access to fighting serious crime nor required prior approval, which means it was inconsistent with EU law (or would have been were DRIPA still in force).[10] While the significance of this must not be understated – it continues to dent the UK’s ambition to access and retain as much data as possible – the lack of declaration on issue one and part (c) of issue two is interesting, but not necessarily unsurprising.

The Court did not rule on part one because the issue relating to Part 4 IPA 2016 is the subject of Liberty’s judicial review, due to be heard in late February. The Court further claimed the relevant part of the dispositif was directed to a Swedish law even though it could be regarded as having general application (and Lord Lloyd-Jones initially thought so).[11] Unusually, the court allowed further submissions after the draft judgement was circulated in which the Government argued that upholding part one relied on a restrictive and inaccurate interpretation of Digital Rights Ireland (the original impetus for DRIPA).[12] It will be interesting to see if the Court agrees in upcoming judicial review.

The government thinks rights are always less important than national security

When it comes to national security, the government, the courts and the Security and Intelligence Agencies (SIAs) get rather exercised. They argue, with some considerable force, that national security is the paramount government responsibility and sits squarely within the realm of prerogative power. In other words, the courts, UK or European, have no business of telling the government what it can and cannot do. This is a long established area of law.[13] Repeating a recent related decision by the Investigatory Powers Tribunal (IPT), the Court of Appeal highlighted how far national security co-opts the courts. The use of bulk communications data is ‘essential’ to national security and can identify ‘previously unknown’ threats to national security swiftly and provide a basis for action ‘in the face of an imminent threat.’[14] Further, as the UK courts have previously found the regime consistent with ECHR requirements, were the Watson requirements enforced it would ‘frustrate’ national security.[15]

Don’t be fooled by the legal-ese here, these are strong words. If the powers to compel retention of data and the provision of access to SIAs are not upheld in the scheme as it stands, the CJEU would be putting UK national security at risk. The continued attempts to fight restrictions on access to data, the strength of the words and the fraught back and forth judgements between the UK courts and the CJEU indicate how little regard the UK government has to privacy and other digital rights. National security is used as a blanket justification for expansive and intrusive surveillance and the UK courts appear minded to accept it.

Data Transfer outside the EU might be permitted with ‘safeguards’

The transfer of the data retained and accessed outside the EU is one of the muddier parts of the Court of Appeal’s ruling, except that it declined to rule on it. The line to take note of comes in paragraph 17 of the judgement. The court noted the CJEU judgment could be interpreted as saying either (a) that the data could never be transferred outside of the EU, or (b) the data should be retained within the EU, except when there were ‘adequate safeguards’ or when the transfer only concerned related products but not the data itself. The Privacy International ruling suggested ‘independent authority’ supervision would be an adequate safeguard.[16] It is not entirely surprising that these suggestions have been made. The use of independent and expert authorities to ‘check’ the government’s potential infringement of rights has grown in the last decade or so. Quite whether these systems actually provide such check with sufficient consideration of rights remains to be seen.[17]

[5] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications); Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.